(57) Abstract

A method for multiplication of a point P on an elliptic curve E by a value k in order to derive a point kP comprises the steps of representing the number k as a vector of binary digits stored in a register and forming a sequence of point pairs $(P_1, P_2)$ wherein the point pairs differ at most by P and wherein the successive series of point pairs are selected either by computing $(2mP, (2m+1)P)$ from $(mP, (m+1)P)$ or $((2m+1)P, (2m+2)P)$ from $(mP, (m+1)P)$. The computations may be performed without using the y-coordinate of the points during the computation while allowing the y-coordinate to be extracted at the end of the computations, thus avoiding the use of inversion operations during the computation and therefore speeding up the cryptographic processor functions. A method is also disclosed for accelerating signature verification between two parties.
ACCELERATED FINITE FIELD OPERATIONS ON AN ELLIPTIC CURVE

This invention relates to a method of accelerating operations in a finite field, and in particular, to operations performed in a field $F_{2^m}$ such as used in encryption systems.

BACKGROUND OF THE INVENTION 

Finite fields of characteristic two, $F_{2^m}$, are of interest since they allow for the efficient implementation of elliptic curve arithmetic. The field $F_{2^m}$ can be viewed as a vector space of dimension m over $F_2$. Once a basis of $F_{2^m}$ over $F_2$ has been chosen the elements of $F_{2^m}$ can be conveniently represented as vectors of elements zero or one and of length m. In hardware, a field element is stored in a shift register of length m. Addition of field elements is performed by bitwise XOR-ing ($\oplus$) the vector representations and takes one clock cycle.

Digital signatures are used to confirm that a particular party has sent a message and 
that the contents have not been altered during transmission. 

A widely used set of signature protocols utilizes the ElGamal public key signature 
scheme that signs a message with the sender's private key. The recipient may then verify 
the signature with the sender's public key. 

Various protocols exist for implementing such a scheme and some have been widely used. In each case however the recipient is required to perform a computation to verify the signature. Where the recipient has adequate computing power this does not present a particular problem, but where the recipient has limited computing power, such as in a "smart card" application, the computations may introduce delays in the verification process.

Public key schemes may be implemented using one of a number of groups in which the discrete log problem appears intractable, but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implementation has the advantage that the requisite security can be obtained with relatively small orders of field compared, for example, with implementations in $Z_p^*$, and therefore reduces the bandwidth required for communicating the signatures.
In a typical implementation a signature component s has the form:

$s = ae + k \pmod n$ where:

P is a point on the curve, which is a predefined parameter of the system;

k is a random integer selected as a short term private or session key, and has a corresponding short term public key $R = kP$;

a is the long term private key of the sender and has a corresponding public key $aP = Q$;

e is a secure hash, such as the SHA hash function, of a message m and short term public key R; and

n is the order of the curve.

The sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value $R' = sP - eQ$ which should correspond to R. If the computed values are equivalent then the signature is verified.

In order to perform the verification it is necessary to compute a number of point multiplications to obtain sP and eQ, each of which is computationally complex.

If $F_q$ is a finite field, then elliptic curves over $F_q$ can be divided into two classes, namely supersingular and non-supersingular curves. If $F_q$ is of characteristic 2, i.e. $q = 2^m$, then the classes are defined as follows.

i) The set of all solutions to the equation $y^2 + ay = x^3 + bx + c$ where $a, b, c \in F_q$, $a \neq 0$, together with a special point called the point at infinity O, is a supersingular curve over $F_q$.

ii) The set of all solutions to the equation $y^2 + xy = x^3 + ax^2 + b$ where $a, b \in F_q$, $b \neq 0$, together with a special point called the point at infinity O, is a nonsupersingular curve over $F_q$.

By defining an appropriate addition on these points, we obtain an additive abelian group. The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the supersingular elliptic curve E with $y^2 + ay = x^3 + bx + c$ is given by the following:

If $P = (x_1, y_1) \in E$, then define $-P = (x_1, y_1 + a)$ and $P + O = O + P = P$ for all $P \in E$. If $Q = (x_2, y_2) \in E$ and $Q \neq -P$, then the point representing the sum $P + Q$ is denoted $(x_3, y_3)$, where

$y_3 = \ldots \quad (P = Q)$

Now supersingular curves are preferred, as they are more resistant to the MOV attack. It can be seen that computing the sum of two points on E requires several multiplications, additions, and inverses in the underlying field $F_{2^m}$. In turn, each of these operations requires a sequence of elementary bit operations.

When implementing cryptographic operations in ElGamal or Diffie-Hellman schemes, or generally most cryptographic operations with elliptic curves, one is required to compute kP = P + P + ... + P (P added k times) where k is a positive integer and $P \in E$. This requires the computation of $(x_3, y_3)$ to be performed k-1 times. For large values of k which are typically necessary in cryptographic applications, this has previously been considered impractical for data communication. If k is large, for example 1024 bits, kP would be calculated by performing $2^{1024}$ additions of P.

Furthermore, in a multiplicative group, multiplications and inversions are extremely computationally intensive, with field inversions being more expensive than field multiplications. The inversion operation needed when adding two points can be eliminated by resorting to projective coordinates. The formula for addition of two points, however, requires a larger number of multiplications than is required when using affine coordinates.

In a paper entitled "Elliptic Curve Cryptosystems and Their Implementation" by Vanstone et al., published in The Journal of Cryptology, a method is described for adding two points by converting to projective coordinates and thus eliminating the inversion computation. However, the overall gain in speed by elimination of the inversion is at the expense of space. Extra registers are required to store P and Q and also to store intermediate results when doing the addition. Furthermore, this method requires the use of the y-coordinate in the calculation.

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide a method and apparatus in which some of the above disadvantages are obviated or mitigated.

It is a further object of the invention to provide a method of multiplying finite field elements which may be implemented relatively efficiently on a processor with limited processing capability, such as a smart card or the like.

It is a still further object of the present invention to provide a method and apparatus in which signature verification may be accelerated in elliptic curve encryption systems.

In accordance with this invention there is provided a method of determining a multiple of a point P on an elliptic curve defined over a field $F_{2^m}$, said method comprising the steps of:

a) representing the number k as a vector of binary digits;

b) forming a pair of points $P_1$ and $P_2$, wherein the points $P_1$ and $P_2$ differ at most by P; and

c) selecting each of the binary digits $k_i$ in turn and, for each of the $k_i$:

upon the $k_i$ being a one, adding the pair of points $P_1$ and $P_2$ to form a new point $P_1$, and adding the point P to $P_1$ to form a new point $P_2$, the new points replacing the pair of points $P_1$ and $P_2$; or

upon the $k_i$ being a zero, doubling the point $P_1$ to form a new point $P_1$, and adding the point P to form a new point $P_2$, the new points replacing the pair of points $P_1$ and $P_2$, whereby the product kP is obtained from the point $P_1$ in M-1 steps, and wherein M represents the number of digits in k.

Furthermore, the inventors have implemented a method whereby computation of a product kP can be performed without the use of the y coordinate of the point P during computation.



BRIEF DESCRIPTION OF THE DRAWINGS 

Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system;
Figure 2 is a schematic diagram of an encryption/decryption unit;
Figure 3 is a flow chart for computing a multiple of a point;
Figure 4 is a flow chart showing the extraction of a y-coordinate;
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to Figure 1, a data communication system 2 includes a pair of correspondents, designated as a sender 10 and a recipient 12, connected via a communication channel 14. Each of the correspondents 10, 12 includes an encryption/decryption unit 16 associated therewith that may process digital information and prepare it for transmission through the channel 14, as will be described below. The encryption/decryption units implement, amongst others, key exchange protocols and an encryption/decryption algorithm.

The module 16 is shown schematically in Figure 2 and includes an arithmetic logic unit 20 to perform the computations including key exchange and generation. A private key register 22 contains a private key, d, generated for example as a 155 bit data string from a random number generator 24, and used to generate a public key stored in a public key register 26. A base point register 28 contains the co-ordinates of a base point P that lies on the elliptic curve selected, with each co-ordinate (x, y) represented as a 155 bit data string. Each of the data strings is a vector of binary digits, with each digit being the coefficient of an element of the finite field in the normal basis representation of the co-ordinate.

The elliptic curve selected will have the general form $y^2 + xy = x^3 + ax^2 + b$ and the parameters of that curve, namely the coefficients a and b, are stored in a parameter register 30. The contents of registers 22, 24, 26, 28, 30 may be transferred to the arithmetic unit 20 under control of a CPU 32 as required.

The contents of the public key register 26 are also available to the communication 
channel 14 upon a suitable request being received. In the simplest implementation, each 
encryption module 16 in a common secure zone will operate with the same curve and base 
point so that the contents of registers 28 and 30 need not be accessible. If further 
sophistication is required, however, each module 16 may select its own curve and base 
point in which case the contents of registers 28, 30 have to be accessible to the channel 14. 

The module 16 also contains an integer register 34 that receives an integer 
k, the session seed, from the generator 24 for use in encryption and key exchange. The 
module 16 has a random access memory (RAM) 36 that is used as a temporary store as 
required during computations. 

In accordance with a general embodiment, the sender assembles a data string which includes, amongst others, the public key Q of the sender, a message m, the sender's short term public key R and a signature component s of the sender. When assembled, the data string is sent over the channel 14 to the intended recipient 12.

For simplicity it will be assumed that the signature component s of the sender 12 is of the form $s = ae + k \pmod n$ as discussed above, although it will be understood that other signature protocols may be used. To verify the signature, $sP - eQ$ must be computed and compared with R.

Thus a first step of the recipient is to retrieve the value of Q from the string. A hash value e may also be computed from the message m and the coordinates of the point R. The recipient is then able to perform the verification by computing sP and eQ.

In order to accelerate the calculation of sP or eQ the recipient may adopt the following to calculate the coordinates of the new point sP, in order to avoid performing the several multiplications, additions and inverses in the underlying field $F_{2^m}$. The recipient may calculate sP by resorting to the expedient of a "double and add" method as shown in figure 3.

Referring to figure 3, one embodiment of the invention illustrating a "double and add" method for multiplication of a point P on an elliptic curve E by a value k in order to derive a point kP is implemented by initially representing k in its binary form. Next a successive series of point pairs $(mP, (m+1)P)$ are set up. Each successive digit of k is considered in turn: upon the occurrence of a zero value digit in the binary representation of k, the first of the pair of points is doubled and one is added to the second of the pair of points, i.e. compute $(2mP, (2m+1)P)$ from $(mP, (m+1)P)$. Alternatively, upon the occurrence of a one value in the binary representation of k, the first of the pair is formed from the sum of the previous pair of points and the second of the pair is formed by adding one to the first of the pair, i.e. compute $((2m+1)P, (2m+2)P)$ from $(mP, (m+1)P)$.

This is illustrated in the following short example, in which k = 23. The value of k may be represented in binary as (10111). Applying the above rule to a pair of points (P, 2P) we get the successive sequence of point pairs (2P, 3P); (5P, 6P); (11P, 12P); and finally (23P, 24P). The first of the pair is thus the required point.

WO 99/49386 PCT/CA99/00254

Thus, it may be seen the final result 23P is obtained by performing a series of "double and add" operations on a pair of points in the field wherein the pair of points in a given pair differ by P. Furthermore the number of "double and add" operations equals at most one less than the number of bits in k, i.e. (m - 1) times. This method of "double and add" has a distinct advantage for large values of k in reducing the number of operations to be performed by a processor. This may be contrasted with performing k double and adds on a single point P as described earlier in the background of the invention.

Turning back to the calculation of sP and eQ, the recipient may thus apply the above embodiment to calculating sP for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$, E defined over $F_{2^m}$.

If $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, $P_1 \neq \pm P_2$, are points on the curve E then we can define $P_1 + P_2 = (x_3, y_3)$ where

$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$ (1)

wherein the slope of the curve is given by:

$\lambda = \frac{y_2 + y_1}{x_2 + x_1}$

Similarly, if $-P_2 = (x_2, y_2 + x_2)$ and $P_1 - P_2 = (x_4, y_4)$ then

$x_4 = \lambda'^2 + \lambda' + x_1 + x_2 + a = \lambda^2 + \frac{x_2^2}{(x_1 + x_2)^2} + \lambda + \frac{x_2}{x_1 + x_2} + x_1 + x_2 + a$ (2)

where

$\lambda' = \frac{y_2 + x_2 + y_1}{x_2 + x_1} = \lambda + \frac{x_2}{x_2 + x_1}$

If we add $x_3$ and $x_4$ then

$x_3 + x_4 = \frac{x_2^2}{(x_1 + x_2)^2} + \frac{x_2}{x_1 + x_2} = \frac{x_1 x_2}{(x_1 + x_2)^2}$ (3)

To compute the x-coordinate $x_3$ of $(P_1 + P_2)$ we only need the x-coordinates of $P_1$, $P_2$ and $(P_1 - P_2)$; however, the computation is not optimally efficient as it requires inversions. It may also be noted that the y-coordinate is not needed in these calculations.

Referring back to figure 2, the value kP may be calculated using the "double and add" method. Whenever a new pair of points is computed the addition formula of equation (3) above is used, and this is done m times.

Thus we have a formula for $x_3$ involving $x_1$, $x_2$ and $x_4$. Unfortunately, this formula includes an inversion, which is costly. We can modify this equation as follows: suppose the values of $x_1$, $x_2$ and $x_3$ are given by $\frac{x_1}{z_1}$, $\frac{x_2}{z_2}$, $\frac{x_3}{z_3}$, where $x_1, x_2, x_3, z_1, z_2, z_3$ are values maintained during the double and add algorithm. Then substituting these new representations into formula (3), we find

$\frac{x_3}{z_3} = x_4 + \frac{\frac{x_1}{z_1}\frac{x_2}{z_2}}{\left(\frac{x_1}{z_1} + \frac{x_2}{z_2}\right)^2} = x_4 + \frac{x_1 x_2 z_1 z_2}{(x_1 z_2 + x_2 z_1)^2} = \frac{x_4 (x_1 z_2 + x_2 z_1)^2 + x_1 x_2 z_1 z_2}{(x_1 z_2 + x_2 z_1)^2}$

Therefore, if we take $x_3 = x_4 (x_1 z_2 + x_2 z_1)^2 + x_1 x_2 z_1 z_2$ and $z_3 = (x_1 z_2 + x_2 z_1)^2$, we can execute the "double & add" algorithm of figure 3 (using this new representation) and avoid the computation of an inversion for most of the algorithm.

From the equations for $x_3$ and $z_3$ above it may be seen that $x_3$ may be calculated by performing at most four multiplication operations.

The sum of the points $P_1$ and $P_2$, expressed in terms of $x_3$ and $z_3$, is obtained without having to perform a relatively costly inversion on the x-coordinate, and can be computed using at most four multiplies and two squares. The remaining operations of addition and squaring are relatively inexpensive with regard to computational power. The computation of the term $(x_1 z_2 + x_2 z_1)^2$ is obtained by a cyclic shift of the normal basis representation of the value within parentheses, which a general-purpose processor can perform relatively easily. At the end of the algorithm we can convert back to our original representation if required.

Referring back to figure 3, now in order to double the point $P = (x_1, y_1)$, let $2(x_1, y_1) = (x_3, y_3)$; then as before, if the equation of the elliptic curve E is given by $y^2 + xy = x^3 + ax^2 + b$ over $F_{2^m}$, the x-coordinate of the point 2P is represented as

$x_3 = \frac{x_1^4 + b}{x_1^2}$

Once again representing the coordinates in terms of the projective coordinates we obtain

$x_3 = x_1^4 + b z_1^4$

and

$z_3 = (x_1 z_1)^2$

or

$x_3 = (x_1^2 + \sqrt{b}\, z_1^2)^2$

By making b relatively small the computationally expensive operations may be reduced to approximately one multiplication operation for the $z_3$ term. We can precompute $\sqrt{b}$ and calculate $x_3$ according to the last equation, thus requiring two fewer squares. Alternatively, as mentioned earlier, in a normal basis representation the computation of $x_1^4$ and $z_1^4$ is obtained by two cyclic shifts of the representation of the respective values, while $(x_1 z_1)^2$ is obtained by a single cyclic shift of the product.

Applying the earlier outlined "double and add" method of figure 3, we observe that for a scalar k of m bits the calculation of kP defined over $F_{2^m}$ requires at most (m-1) double and add operations. From the above discussion a double operation on points of an elliptic curve is achieved by performing at most two multiplication operations, while the add operation is achieved by performing at most four multiplication operations. Thus to compute the x-coordinate of kP using the method of this invention would require at most six times (m-1) multiplication operations.

Once the x values have been calculated, as above, y-coordinate values may also be determined. However, for each x-coordinate there exist at most two y-coordinates. For example, in the final step of obtaining a point 24P, both points 23P and P would be known, since 24P may be expressed as 23P + P = 24P. Assume the x-coordinate $x_{23}$ of the point A = 23P has been obtained as described earlier. Then, by substituting $x_{23}$ into the elliptic curve equation E and solving the resulting quadratic equation, two values of y are obtained corresponding to points $A = (x_{23}, y_{23}^{(1)})$ and $B = (x_{23}, y_{23}^{(2)})$. Next, substituting the x-coordinate $x_{24}$ obtained through calculating 24P = P + 23P into the elliptic curve equation will produce two points $(x_{24}, y_{24}^{(1)})$ and $(x_{24}, y_{24}^{(2)})$. The two points thus obtained are stored. To each of the points A and B the point P is added, using ordinary point addition, to produce corresponding points $A + P = (x_a, y_a)$ and $B + P = (x_b, y_b)$, respectively. Point $(x_a, y_a)$ is compared to points $(x_{24}, y_{24}^{(1)})$ and $(x_{24}, y_{24}^{(2)})$, respectively. If none of the points match, then $(x_b, y_b)$ is the correct point, otherwise $(x_a, y_a)$ is the correct point. Thus, it may be seen that multiples of a point P may be easily calculated without knowing the y-coordinate and, furthermore, the y-coordinate may be obtained at the end of the calculation, if so desired.

Thus, for example, referring back to the ElGamal scheme for elliptic curves one is required to compute $r = kP = (x, y)$. In this case one can drop the y-coordinate and produce a hash of a message m and the x-coordinate, $e = h(m // x)$. The sender then sends to a recipient a message including a signature s and the hash e. The signature s has the form $s = (de + k) \bmod n$, where d is the private key of the sender and k is a random number generated by the sender. The recipient then verifies the signature by calculating $sP - eQ = r$. Both sP and eQ may be calculated by utilizing the "double and add" method of this invention. The x values of sP and eQ each produce two possible values of y: $(x_1, y_1^{(1)})$, $(x_1, y_1^{(2)})$ and $(x_2, y_2^{(1)})$, $(x_2, y_2^{(2)})$ when substituted back into the elliptic curve equation E. When the point subtraction is performed between permutations of these points, the correct y will thus produce the appropriate matching r. If none of these substitutions produce a matching r, then the signature is not verified.

Referring to figure 4, a schematic diagram of a further method for determining the y-coordinate of kP derived according to the method described with respect to figure 3, given the point P = (x, y), the x-coordinate x of (k-1)P and x' of kP, is shown generally by numeral 50. As may be noted with respect to figure 3, in computing the x-coordinate of kP the x-coordinate of (k-1)P is also calculated.

Thus, initially substitute x' into the elliptic curve equation to obtain a value of y' such that the point (x', y') is on the curve. Next, at step 54, assign the point Q to (x', y'). Next compute a point Q - P = (x", y") by simple point subtraction 55. The derived x-coordinate x" is compared to the x-coordinate x of (k-1)P at step 56 and, if x" = x, then y' is the y-coordinate of kP, otherwise y' is the y-coordinate of -kP. It may be noted that this method works if 0 < k < order of point P.

Utilizing the method of the subject invention to compute kP it is also possible to compute (k+1)P such that the x-coordinates of kP and (k+1)P are available. In this case the y-coordinate may be derived by computing Q + P = (x", y") and comparing the coordinate x" to the x-coordinate of (k+1)P.
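As an added worked example (not part of the patent text), the following Python models the x-only "double and add" of figure 3 with the projective formulas for $x_3, z_3$ given above, and the y-recovery of figure 4 in its (k+1)P variant, checking both against a textbook affine implementation for every multiple of the base point. It assumes a constructed toy curve $y^2 + xy = x^3 + x^2 + 1$ over $GF(2^7)$ in a polynomial basis; the patent uses a normal basis, which changes only how squaring is implemented, not the formulas.

```python
# GF(2^m) in a polynomial basis (assumption: the patent uses a normal basis, where squaring
# is a cyclic shift; the curve formulas below hold in either basis).
M = 7
POLY = 0b10000011            # x^7 + x + 1, irreducible over GF(2)
FIELD_SIZE = 1 << M

def gf_mul(a, b):            # carry-less multiply with reduction modulo POLY
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE: a ^= POLY
    return r

def gf_sq(a): return gf_mul(a, a)

def gf_inv(a):
    """a^(2^m - 2) = 1/a for a != 0: the costly operation the ladder postpones to the end."""
    r, e = 1, FIELD_SIZE - 2
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_sq(a), e >> 1
    return r

# Constructed toy curve E: y^2 + xy = x^3 + A x^2 + B over GF(2^7); B != 0 (nonsupersingular).
A, B = 1, 1
def on_curve(x, y):
    return gf_sq(y) ^ gf_mul(x, y) == gf_mul(gf_sq(x), x) ^ gf_mul(A, gf_sq(x)) ^ B

def add(P, Q):
    """Reference affine addition; None is the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0: return None        # Q == -P == (x1, x1 + y1)
        lam = x1 ^ gf_mul(y1, gf_inv(x1))          # doubling slope x1 + y1/x1
        x3 = gf_sq(lam) ^ lam ^ A
        return (x3, gf_sq(x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))         # slope (y1 + y2)/(x1 + x2)
    x3 = gf_sq(lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul_ref(k, P):           # kP by k - 1 plain additions: the slow route the patent contrasts with
    R = None
    for _ in range(k): R = add(R, P)
    return R

def ladder_x(k, xP):
    """Patent's pair method: keep (X1/Z1, X2/Z2) = (mP, (m+1)P), x only, no inversion."""
    X1, Z1 = xP, 1                                 # P           (requires k >= 1, xP != 0)
    X2, Z2 = gf_sq(gf_sq(xP)) ^ B, gf_sq(xP)       # 2P: x = (x^4 + b) / x^2
    for bit in bin(k)[3:]:                         # digits of k after the leading 1
        # pair sum, difference known to be P: x3 = xP*(x1z2 + x2z1)^2 + x1x2z1z2
        T = gf_mul(X1, Z2) ^ gf_mul(X2, Z1)
        Zs = gf_sq(T)
        Xs = gf_mul(xP, Zs) ^ gf_mul(gf_mul(X1, X2), gf_mul(Z1, Z2))
        if bit == '0':   # (mP,(m+1)P) -> (2mP,(2m+1)P): double the first
            X1, Z1 = gf_sq(gf_sq(X1)) ^ gf_mul(B, gf_sq(gf_sq(Z1))), gf_sq(gf_mul(X1, Z1))
            X2, Z2 = Xs, Zs
        else:            # (mP,(m+1)P) -> ((2m+1)P,(2m+2)P): double the second
            X2, Z2 = gf_sq(gf_sq(X2)) ^ gf_mul(B, gf_sq(gf_sq(Z2))), gf_sq(gf_mul(X2, Z2))
            X1, Z1 = Xs, Zs
    return X1, Z1, X2, Z2

def to_affine_x(X, Z): return None if Z == 0 else gf_mul(X, gf_inv(Z))   # one inversion, at the end

def recover_y(P, k):
    """Figure-4 style recovery, (k+1)P variant: of the two y satisfying E at x(kP), keep the
    one whose Q + P has the x-coordinate of (k+1)P from the ladder.  Needs 0 < k < ord(P)."""
    X1, Z1, X2, Z2 = ladder_x(k, P[0])
    xk, x_next = to_affine_x(X1, Z1), to_affine_x(X2, Z2)
    for y in range(FIELD_SIZE):                    # brute-force roots: toy field only
        if on_curve(xk, y):
            S = add((xk, y), P)
            if (S is None) == (x_next is None) and (S is None or S[0] == x_next):
                return (xk, y)
    raise ValueError("no y candidate consistent with (k+1)P")

def find_point():            # first affine point of E with x != 0 (x = 0 is the point of order 2)
    return next((x, y) for x in range(1, FIELD_SIZE)
                for y in range(FIELD_SIZE) if on_curve(x, y))

def order_of(P):
    n, R = 1, P
    while R is not None:
        R, n = add(R, P), n + 1
    return n

def ladder_matches_reference(P):   # ladder x and recovered y equal mul_ref for all 0 < k < ord(P)
    for k in range(1, order_of(P)):
        R = mul_ref(k, P)
        X1, Z1, _, _ = ladder_x(k, P[0])
        if to_affine_x(X1, Z1) != R[0] or recover_y(P, k) != R:
            return False
    return True

BASE = find_point()   # constructed base point, standing in for register 28 of the patent's module
```

Only the final `to_affine_x` call performs a field inversion; everything inside the loop is multiplications, squarings and XORs, which is the saving the patent claims.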

Referring to figure 5, a further application of an embodiment of the invention to verification of elliptic curve signatures is indicated generally by numeral 70. Once again it is assumed that the first correspondent 10 includes a private key random integer d and a corresponding public key Q derived from computing the point Q = dP. In order to sign a message M, a hash value e is computed from the message M using a hash function H. Next, a random integer k is selected as a private session key. A corresponding public session key kP is calculated from the random integer k. The first correspondent then represents the x-coordinate of the point kP as an integer z and then calculates a first signature component $r = z \bmod n$.

Next, a second signature component $s = k^{-1}(e + dr) \bmod n$ is also calculated. The signature components s and r and a message M are then transmitted to the second correspondent 12. In order for the second correspondent 12 to verify the signature (r, s) on M, the second correspondent looks up the public key Q of the first correspondent 10. A hash e' of the message M is calculated using the hash function H such that e' = H(M). A value $c = s^{-1} \bmod n$ is also calculated. Next, integer values $u_1$ and $u_2$ are calculated such that $u_1 = e'c \bmod n$ and $u_2 = rc \bmod n$. In order that the signature be verified, the value $u_1 P + u_2 Q$ must be calculated. Since P is known and is a system wide parameter, the value $u_1 P$ may be computed quickly using pre-computed multiples of P. For example, these values may be combined from a pre-stored table of doubles of P, i.e. 2P, 4P, 8P, etc. On the other hand, however, the point Q is current and varies from user to user and, therefore, the value $u_2 Q$ may take some time to compute and generally cannot be pre-computed.

However, by resorting to the expedient of the method disclosed in the subject invention, verification of the signature may be significantly accelerated. Normally, the point $R = u_1 P + u_2 Q$ is computed. The field element x of the point R = (x, y) is converted to an integer z, and a value $v = z \bmod n$ is computed. If v = r, then the signature is valid.

Alternatively, in a technique which takes advantage of "double & add" to compute $u_2 Q$, if the modular inverse of $u_2$ is calculated, $u_2^{-1} \bmod n$, then R can be expressed as $u_2 (u_1 u_2^{-1} P + Q)$, i.e. making use of the identity $u_2 u_2^{-1} = 1$. The value $u_1 u_2^{-1}$ is an integer and, therefore, may be easily computed. Thus, the point $u_1 u_2^{-1} P$ may be easily calculated or assembled from the previously stored values of multiples of P. The point Q is then added to the point $u_1 u_2^{-1} P$, which is a single addition, to obtain a new point R'.

Thus, in order to verify the signature, the recipient need only determine the x-coordinate of the value $u_2 R'$. This calculation may be performed using the "double and add" method as described with reference to figure 3. If this is equal to r, then the signature is verified. The resulting value is the x-coordinate of the point $u_1 P + u_2 Q$. The value $v = x \bmod n$ is computed and verified against r. It may be noted that in this scheme the y-coordinate is not used in signature generation or verification and, hence, computing it is not mandatory. However, alternative schemes using both the x and y-coordinates may be utilized in these cases, and the y-coordinate may be derived as described earlier, or the two y-coordinates corresponding to the given x-coordinate may be calculated and each used to attempt to verify the signature. Should neither satisfy this comparison, then the signature is invalid. That is, since verification requires computing the point $R = u_1 P + u_2 Q$, this can be done as follows. Transmit only the x-coordinate of Q, compute the x-coordinate of $u_2 Q$ by using either the "double & add" of figure 3 or on $E(F_p)$, and try both points corresponding to this x-coordinate to see if either verifies.
Referring back to figure 1, if keys of the form kP are transferred between the correspondents then, to reduce the bandwidth, it is possible for the sender to transmit only one of the co-ordinates of kP and compute the other co-ordinate at the receiver. For example, if the field elements are 155 bits for $F_{2^{155}}$, an identifier, for example a single bit of the correct value of the other co-ordinate, may also be transmitted. This permits the possibilities for the second co-ordinate to be computed by the recipient and the correct one identified from the identifier.

Referring therefore to Figure 1, the transmitter 10 initially retrieves as the public key dP of the receiver 12 a bit string representing the co-ordinate $x_0$ and a single bit of the co-ordinate $y_0$.

The transmitter 10 has the parameters of the curve in register 30 and therefore may use the co-ordinate $x_0$ and the curve parameters to obtain possible values of the other co-ordinate $y_0$ from the arithmetic unit 20.

For a curve of the form $y^2 + xy = x^3 + ax^2 + b$ and a co-ordinate $x_0$, the possible values $y_1, y_2$ for $y_0$ are the roots of the quadratic $y^2 + x_0 y = x_0^3 + a x_0^2 + b$.

By solving for y in the arithmetic unit 20 two possible roots will be obtained and comparison with the transmitted bit of information will indicate which of the values is the appropriate value of y.

The two possible values of the second co-ordinate ($y_0$) differ by $x_0$, i.e. $y_1 = y_2 + x_0$. Since the two values of $y_0$ differ by $x_0$, then $y_1$ and $y_2$ will always differ where a "1" occurs in the representation of $x_0$. Accordingly the additional bit transmitted is selected from one of those positions and examination of the corresponding bit of the values of $y_0$ will indicate which of the two roots is the appropriate value.

The receiver 10 thus can generate the co-ordinates of the public key dP even though only 156 bits are retrieved.

Similar efficiencies may be realized in transmitting the session key kP to the receiver 12, as the transmitter 10 need only forward one co-ordinate, $x_0$, and the selected identifying bit of $y_0$. The receiver 12 may then reconstruct the possible values of $y_0$ and select the appropriate one.

In the field $F_{2^m}$ it is not possible to solve for y using the quadratic formula as 2a = 0. Accordingly, other techniques need to be utilised and the arithmetic unit 20 is particularly adapted to perform this efficiently.
In general, provided $x_0$ is not zero, if $y = x_0 z$ then $x_0^2 z^2 + x_0^2 z = x_0^3 + a x_0^2 + b$. This may be written as $z^2 + z = x_0 + a + \frac{b}{x_0^2} = c$, i.e. $z^2 + z = c$.

If m is odd then either $z = c + c^4 + c^{16} + \ldots + c^{2^{m-1}}$

or $z = 1 + c + c^4 + \ldots + c^{2^{m-1}}$, to provide two possible values for $y_0$.

A similar solution exists for the case where m is even that also utilises terms of the form $c^{2^i}$.

This is particularly suitable for use with a normal basis representation in $F_{2^m}$.

As noted above, raising a field element in $F_{2^m}$ to a power $2^g$ can be achieved by a g-fold cyclic shift where the field element is represented in a normal basis.

Accordingly, each value of z can be computed by shifting and adding and the values of $y_0$ obtained. The correct one of the values is determined by the additional bit transmitted.

The use of a normal basis representation in $F_{2^m}$ therefore simplifies the protocol used to recover the co-ordinate $y_0$.

If $P = (x_0, y_0)$ is a point on the elliptic curve $E: y^2 + xy = x^3 + ax^2 + b$ defined over a field $F_{2^m}$, then $\tilde{y}_0$ is defined to be 0 if $x_0 = 0$; if $x_0 \neq 0$ then $\tilde{y}_0$ is defined to be the least significant bit of the field element $y_0 x_0^{-1}$.

The x-coordinate $x_0$ of P and the bit $\tilde{y}_0$ are transmitted between the transmitter 10 and receiver 12. Then the y-coordinate $y_0$ can be recovered as follows.

1. If $x_0 = 0$ then $y_0$ is obtained by cyclically shifting the vector representation of the field element b that is stored in parameter register 30 one position to the left. That is, if $b = b_{m-1} b_{m-2} \ldots b_1 b_0$ then $y_0 = b_{m-2} \ldots b_1 b_0 b_{m-1}$.

2. If $x_0 \neq 0$ then do the following:

2.1 Compute the field element $c = x_0 + a + b x_0^{-2}$ in $F_{2^m}$.

2.2 Let the vector representation of c be $c = c_{m-1} c_{m-2} \ldots c_1 c_0$.

2.3 Construct a field element $z = z_{m-1} z_{m-2} \ldots z_1 z_0$ by setting

$z_0 = \tilde{y}_0$,
$z_1 = c_0 \oplus z_0$,
$z_2 = c_1 \oplus z_1$,
$\ldots$
$z_{m-2} = c_{m-3} \oplus z_{m-3}$,
$z_{m-1} = c_{m-2} \oplus z_{m-2}$.

2.4 Finally, compute $y_0 = x_0 \cdot z$.

It will be noted that the computation of Xo 2 can be readily computed in the 

arithmetic unit 20 as described above and that the computation of y 0 can be obtained from 
the multiplier 48. 
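As an added illustration (not part of the patent text), the recovery of y_0 from x_0 and the single bit ỹ_0 can be exercised in Python over a small constructed field F_{2^7}. The code uses a polynomial basis with the reduction polynomial x^7 + x + 1 rather than the normal basis of the specification, so raising to the power 2^g is done by repeated squaring instead of cyclic shifts; the root of z^2 + z = c is taken as the sum z = c + c^4 + c^16 + ... + c^{2^{m-1}} given above for odd m, and the other root is z + 1. The curve coefficients a = 1 and b = 11, the field size and the brute-force point listing are constructed for the demonstration, and ỹ_0 is the least significant bit of y_0 · x_0^{-1} as defined above.

```python
# Added example: point decompression on y^2 + xy = x^3 + a x^2 + b over F_{2^m}.
# Constructed parameters: m = 7, polynomial basis modulo x^7 + x + 1 (irreducible),
# a = 1, b = 11.  None of these values come from the patent.
M = 7
POLY = (1 << 7) | (1 << 1) | 1          # x^7 + x + 1
A = 1
B = 0b0001011                            # b must be non-zero (non-singular curve)


def gf_mul(u, v):
    """Multiply two elements of F_{2^m} (bit vectors), reducing modulo POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & (1 << M):
            u ^= POLY
    return r


def gf_sqr(u):
    return gf_mul(u, u)


def gf_pow2k(u, k):
    """u^(2^k): k successive squarings (a k-fold cyclic shift in a normal basis)."""
    for _ in range(k):
        u = gf_sqr(u)
    return u


def gf_inv(u):
    """u^(2^m - 2) = u^{-1} for u != 0 (Fermat); simple but adequate for a demo."""
    assert u != 0, "zero has no inverse"
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_sqr(u)
        e >>= 1
    return r


def trace(c):
    """Tr(c) = c + c^2 + c^4 + ... + c^(2^(m-1)); always 0 or 1."""
    t = 0
    for g in range(M):
        t ^= gf_pow2k(c, g)
    return t


def half_trace(c):
    """For m odd: z = c + c^4 + c^16 + ... + c^(2^(m-1)) solves z^2 + z = c when Tr(c) = 0."""
    assert M % 2 == 1
    z = 0
    for g in range(0, M, 2):
        z ^= gf_pow2k(c, g)
    return z


def on_curve(x, y):
    lhs = gf_sqr(y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_sqr(x), x) ^ gf_mul(A, gf_sqr(x)) ^ B
    return lhs == rhs


def compress(x, y):
    """Transmit x_0 and the bit y~_0 = lsb(y_0 * x_0^{-1}) (0 when x_0 = 0)."""
    if x == 0:
        return (0, 0)
    return (x, gf_mul(y, gf_inv(x)) & 1)


def decompress(x, ybit):
    """Recover y_0 from x_0 and y~_0 following steps 1 and 2 of the specification."""
    if x == 0:
        # y_0^2 = b, so y_0 = sqrt(b) = b^(2^(m-1)).
        return (0, gf_pow2k(B, M - 1))
    # Step 2.1: c = x_0 + a + b * x_0^{-2}.
    c = x ^ A ^ gf_mul(B, gf_sqr(gf_inv(x)))
    if trace(c) != 0:
        raise ValueError("x_0 is not the x-coordinate of a curve point")
    # Steps 2.2-2.3: pick the root z of z^2 + z = c whose low bit matches y~_0.
    # In a polynomial basis the two roots z and z + 1 differ exactly in bit 0.
    z = half_trace(c)
    if (z & 1) != ybit:
        z ^= 1
    # Step 2.4: y_0 = x_0 * z.
    return (x, gf_mul(x, z))


def all_points():
    """Brute-force list of affine curve points, used only to check the round trip."""
    return [(x, y) for x in range(1 << M) for y in range(1 << M) if on_curve(x, y)]
```

The round trip compress followed by decompress returns the original point for every affine point of the constructed curve, and the x_0 = 0 branch yields sqrt(b); roughly half of the non-zero field elements are rejected because Tr(c) = 1, which is the case the transmitted bit cannot fix.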

In the above examples, the identification of the appropriate value of y_0 has been
obtained by transmission of a single bit and a comparison of the values of the roots
obtained. However, other indicators may be used to identify the appropriate one of the
values and the operation is not restricted to encryption with elliptic curves in the field
GF(2^m). For example, if the field is selected as Z_p, p ≡ 3 (mod 4), then the Legendre symbol
associated with the appropriate value could be transmitted to designate the appropriate
value. Alternatively, the set of elements in Z_p could be subdivided into a pair of subsets
with the property that if y is in one subset, then -y is in the other, provided y ≠ 0. An
arbitrary value can then be assigned to the respective subsets and transmitted with the
co-ordinate x_0 to indicate in which subset the appropriate value of y_0 is located. Accordingly,
the appropriate value of y_0 can be determined. Conveniently, it is possible to take an
appropriate representation in which the subsets are arranged as intervals to facilitate the
identification of the appropriate value of y_0. It may be noted that one of the methods
described earlier may also be used to derive the coordinate.

These techniques are particularly suitable for encryption utilizing elliptic curves
but may also be used with any algebraic curves and have applications in other fields such
as error correcting coding where co-ordinates of points on curves have to be transferred.

It will be seen therefore that by utilising an elliptic curve lying in the finite field
GF(2^m) and utilising a normal basis representation, the computations necessary for
encryption with elliptic curves may be efficiently performed. Such operations may be
implemented in either software or hardware and the structuring of the computations makes
the use of a finite field multiplier implemented in hardware particularly efficient.
In a further embodiment of the invention, a method for improving the efficiency of
computing scalar multiples of an elliptic curve point in F_p or F_{2^m} is described below.
Consider the generalized elliptic curve equation E: y^2 + xy = x^3 + ax^2 + b, b ≠ 0 over F_{2^m}.

If P = (x_1, y_1) is a generator, then using the method as described with respect to
figure 3 and projective coordinates, we get kP, (k+1)P where k is the scalar and
kP = (X_2, Z_2), (k+1)P = (X_3, Z_3).

Our objective is to determine the affine coordinates of kP = (x_2, y_2). We know, of
course, that x_2 = X_2 / Z_2.

Suppose the affine coordinates of (k+1)P = (x_3, y_3).

Then, x_3 = λ^2 + λ + x_1 + x_2 + a,   λ = (y_1 + y_2) / (x_1 + x_2)

λ^2 + λ + (x_1 + x_2) + a
  = [y_1^2 + y_2^2 + (x_1 + x_2)(y_1 + y_2) + (x_1 + x_2)^3 + a (x_1 + x_2)^2] / (x_1 + x_2)^2

  = [y_2^2 + x_1 y_2 + x_2 y_1 + x_2 y_2 + x_1^2 x_2 + x_1 x_2^2 + x_2^3 + a x_2^2 + b] / (x_1 + x_2)^2

  = [b + b + x_1 y_2 + x_2 y_1 + x_1^2 x_2 + x_1 x_2^2] / (x_1 + x_2)^2

  = [x_1 y_2 + x_2 y_1 + x_1^2 x_2 + x_1 x_2^2] / (x_1 + x_2)^2

  = [x_1 y_2 + x_2 y_1 + x_1 x_2 (x_1 + x_2)] / (x_1 + x_2)^2

Solving for y_2 we get

y_2 = (1 / x_1) { x_3 (x_1 + x_2)^2 + x_2 y_1 + x_1 x_2 (x_1 + x_2) }    (*)

We know x_1 and y_1 but must compute

x_2 = X_2 / Z_2 and x_3 = X_3 / Z_3.

These require two inversions and two multiplications.
Rewriting gives

y_2 = (x_1 + x_2) { (1 / x_1) [x_3 (x_1 + x_2) + y_1] + x_2 } + y_1

    = (x_1 + x_2) { (1 / (x_1 Z_3)) [X_3 (x_1 + x_2) + Z_3 y_1] + x_2 } + y_1

To compute this quantity requires inverting x_1 Z_3 and Z_2 and then 4 multiplies.
Since x_1 Z_3 costs one multiply, the total is 2 inversions and 5 multiplies.

The Odd Characteristic Case:

E: y^2 = x^3 + ax + b

x_3 = [y_1^2 - 2 y_1 y_2 + y_2^2 - (x_1 + x_2)(x_2 - x_1)^2] / (x_2 - x_1)^2

    = [y_1^2 - 2 y_1 y_2 + y_2^2 - (x_1 + x_2)(x_1^2 - 2 x_1 x_2 + x_2^2)] / (x_2 - x_1)^2

    = [y_1^2 - 2 y_1 y_2 + y_2^2 - x_1^3 + 2 x_1^2 x_2 - x_1 x_2^2 - x_1^2 x_2 + 2 x_1 x_2^2 - x_2^3] / (x_2 - x_1)^2

    = [a x_2 + b + a x_1 + b - 2 y_1 y_2 + x_1^2 x_2 + x_1 x_2^2] / (x_2 - x_1)^2

Solving for y_2 gives:

2 y_1 y_2 = -x_3 (x_2 - x_1)^2 + a x_2 + 2b + a x_1 + x_1^2 x_2 + x_1 x_2^2

or

y_2 = (1 / (2 y_1)) { -x_3 (x_2 - x_1)^2 + a (x_2 + x_1) + 2b + x_1 x_2 (x_1 + x_2) }

WO 99/49386 PCT/CA99/00254



Replacing x_3 = X_3 / Z_3 we get:

y_2 = (1 / (2 y_1 Z_3)) { Z_3 [(x_1 + x_2)(a + x_1 x_2) + 2b] - X_3 (x_2 - x_1)^2 }

Similarly, in the field F_p,

y^2 = x^3 + ax + b
x_3 = λ^2 - x_1 - x_2
y_3 = λ (x_1 - x_3) - y_1
λ = (y_2 - y_1) / (x_2 - x_1)

x_3 = [(y_2 - y_1)^2 - (x_1 + x_2)(x_2 - x_1)^2] / (x_2 - x_1)^2

    = [y_1^2 - 2 y_1 y_2 + y_2^2 - x_1^3 + x_1^2 x_2 + x_1 x_2^2 - x_2^3] / (x_2 - x_1)^2

    = [a x_2 + b + a x_1 + b - 2 y_1 y_2 + x_1 x_2 (x_1 + x_2)] / (x_2 - x_1)^2

y_2 = (1 / (2 y_1)) [(x_1 + x_2)(a + x_1 x_2) + 2b - x_3 (x_2 - x_1)^2]

x_2 = X_2 / Z_2,   x_3 = X_3 / Z_3

which means three inversions plus seven multiplies or equivalently one inversion and
thirteen multiplies:

3i + 7m = 1i + 13m

If we replace x_3, we have:

x_2 = X_2 / Z_2

y_2 = (1 / (2 y_1 Z_3)) { Z_3 [(x_1 + x_2)(a + x_1 x_2) + 2b] - X_3 (x_2 - x_1)^2 }

In this case, we have two inversions plus eight multiplies or equivalently one
inversion and eleven multiplies.
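The following Python is an added worked example, not code from the patent, covering the two passages above: the pair (kP, (k+1)P) is produced by the claim-1 style iteration that keeps (mP, (m+1)P) and moves to (2mP, (2m+1)P) or ((2m+1)P, (2m+2)P) bit by bit, and the y-coordinate of kP is then rebuilt from x_1, y_1, x_2 and x_3 alone using the odd-characteristic formula y_2 = (1/(2y_1)) [(x_1 + x_2)(a + x_1 x_2) + 2b - x_3 (x_2 - x_1)^2] and its projective form with x_3 = X_3/Z_3 substituted. The prime p = 1019 (p ≡ 3 mod 4, so square roots are rhs^((p+1)/4)), the curve y^2 = x^3 + 2x + 3, the base point found by search and the projective scale Z_3 = 5 are all constructed for the demonstration; full affine arithmetic is used for the ladder so that the recovered y can be compared against the true one.

```python
# Added example: recovering y(kP) from x(kP) and x((k+1)P) over a small prime field.
# Constructed parameters (not from the patent): p = 1019, curve y^2 = x^3 + 2x + 3.
P_MOD = 1019
A, B = 2, 3
INF = None  # point at infinity


def inv(u):
    return pow(u % P_MOD, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine addition (and doubling) on y^2 = x^3 + A x + B over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ladder(k, pt):
    """Claim-1 style iteration: hold the pair (mP, (m+1)P) and, for each bit of k
    below the top one, move to (2mP, (2m+1)P) on a 0 or ((2m+1)P, (2m+2)P) on a 1.
    Returns (kP, (k+1)P) after M-1 steps, M = bit length of k (k >= 1)."""
    assert k >= 1
    p1, p2 = pt, ec_add(pt, pt)
    for bit in bin(k)[3:]:                  # bits after the most significant one
        if bit == "1":
            p1 = ec_add(p1, p2)             # (2m+1)P
            p2 = ec_add(p1, pt)             # (2m+2)P = (2m+1)P + P
        else:
            p1 = ec_add(p1, p1)             # 2mP
            p2 = ec_add(p1, pt)             # (2m+1)P
    return p1, p2


def recover_y_affine(x1, y1, x2, x3):
    """y_2 = (1/2y_1) [ (x_1 + x_2)(a + x_1 x_2) + 2b - x_3 (x_2 - x_1)^2 ]."""
    num = (x1 + x2) * (A + x1 * x2) + 2 * B - x3 * (x2 - x1) ** 2
    return num * inv(2 * y1) % P_MOD


def recover_y_projective(x1, y1, x2, X3, Z3):
    """Same formula with x_3 = X_3 / Z_3 substituted, so only 2 y_1 Z_3 is inverted:
    y_2 = (1/(2 y_1 Z_3)) { Z_3 [ (x_1 + x_2)(a + x_1 x_2) + 2b ] - X_3 (x_2 - x_1)^2 }."""
    num = Z3 * ((x1 + x2) * (A + x1 * x2) + 2 * B) - X3 * (x2 - x1) ** 2
    return num * inv(2 * y1 * Z3) % P_MOD


def find_point():
    """First affine point with y != 0; sqrt via rhs^((p+1)/4) since p = 3 (mod 4)."""
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        if rhs and pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
    raise RuntimeError("no point found")


def check_recovery(k, z3=5):
    """Run the ladder for k, discard y(kP), and rebuild it from x(kP) and x((k+1)P).
    Returns True on success and None when the formula's preconditions fail
    (kP = O, (k+1)P = O or kP = -P, i.e. x_2 = x_1).  z3 is a constructed projective scale."""
    base = find_point()
    kp, k1p = ladder(k, base)
    if kp is INF or k1p is INF or kp[0] == base[0]:
        return None
    x1, y1 = base
    x2, y2 = kp
    x3 = k1p[0]
    y_aff = recover_y_affine(x1, y1, x2, x3)
    y_proj = recover_y_projective(x1, y1, x2, x3 * z3 % P_MOD, z3)
    return y_aff == y2 and y_proj == y2
```

Only x_2 and x_3 of the two ladder outputs are consumed by the recovery, which is what lets an x-only ladder skip y entirely until the last step; the degenerate cases returned as None are exactly the ones where the chord through P and kP is not defined.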

The present invention is thus generally concerned with an encryption method and
system and particularly an elliptic curve encryption method and system in which
finite field elements are multiplied in a processor-efficient manner. The encryption
system can comprise any suitable processor unit such as a suitably programmed
general-purpose computer.

Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the
art without departing from the spirit and scope of the invention as outlined in the
claims appended hereto.
THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS
FOLLOWS:

1. A method of determining a multiple of a point P on an elliptic curve defined over a
field F_{2^m}, said method comprising steps of:

(a) representing the number k as a vector of binary digits k_i;

(b) forming a pair of points P_1 and P_2, wherein the points P_1 and P_2 differ at
most by P; and

(c) selecting each of said k_i in turn and for each of said k_i,

upon said k_i being a one, adding said pair of points P_1 and P_2 to form a new
point P_1 and adding said point P to P_1 to form a new point P_2, said new
points replacing said pair of points P_1 and P_2; or

upon said k_i being a zero, doubling said point P_1 to form a new point P_1 and
adding said point P to form a new point P_2, said new points replacing said
pair of points P_1 and P_2, whereby said product kP is obtained from said
point P_1 in M-1 steps and wherein M represents the number of digits in k.

2. A method as described in claim 1, said elliptic curve being of the form y^2 + xy = x^3
+ ax^2 + b and said field being selected to have elements α^{2^i} (0 ≤ i < m) that
constitute a normal basis.

3. A method as described in claim 2, including the step of representing the
co-ordinates of a point on said curve as a set of vectors, each vector representing a
co-ordinate of said point and having m binary digits, each of which represents the
coefficients of α^{2^i} in the normal basis representation of said vector.

4. A method as defined in claim 3, said adding of points P_1 and P_2 utilises only said x
co-ordinates of said points P_1, P_2, and P_1 - P_2.

5. A method as defined in claim 4, said x co-ordinate of said added points is obtained
by computing x_3 + x_4 = where x_1, x_2 are the x coordinates of P_1 and P_2, x_3
is the x coordinate of P_1 + P_2 and x_4 is the x coordinate of P_1 - P_2.

6. A method as defined in claim 5, including converting said coordinates to projective
coordinates.

7. A method as defined in claim 6, said coordinate x_3 being obtained by computing

x_3 = x_1^4 + b z_1^4.

8. A method as defined in claim 4, including computing a y coordinate of said point
kP from said x coordinate by utilising an x coordinate of said point (k-1)P and said
point kP.

9. A method as defined in claim 8, including computing a y coordinate of said point
kP by substituting said x coordinate of kP in said elliptic curve equation.

10. A method of transferring the co-ordinates of a point on an algebraic curve between
a pair of correspondents connected by a data communications link comprising the steps of
forwarding from one correspondent to another a co-ordinate of said point, providing at
said other correspondent parameters of said algebraic curve, and computing at said other
correspondent said other co-ordinate from said one co-ordinate and said algebraic curve.

11. A method according to claim 10 including the step of forwarding with said one
co-ordinate identifying information of said other co-ordinate and utilising said identifying
information and a discriminating function to determine the appropriate value of said other
co-ordinate.

12. A method according to claim 11 wherein said identifying information is a digital
bit of said other co-ordinate that identifies the appropriate value of said other co-ordinate.

13. A method according to claim 12 wherein said algebraic curve is an elliptic curve of
the form y^2 + xy = x^3 + ax^2 + b and said other co-ordinate is determined by solving a
quadratic equation to provide two possible values of said other co-ordinate, said
identifying information indicating the appropriate one of said values.

14. A method according to claim 13 wherein said identifying information is a digital
bit of said other co-ordinate that identifies the appropriate value of said other co-ordinate.

15. A method according to claim 14 wherein said algebraic curve is an elliptic curve of
the form y^2 + xy = x^3 + ax + b defined over a finite field F_{2^m}.

16. A method according to claim 15 including the step of forwarding with said one
co-ordinate identifying information of said other co-ordinate and utilising said identifying
information and a discriminating function to determine the appropriate value of said other
co-ordinate.



17. A method according to claim 16 wherein said field GF(2^m) has field elements α^{2^i} that
constitute a normal basis.

18. A method according to claim 17 wherein said other co-ordinate is determined by
solving a quadratic equation to provide two possible values of said other co-ordinate, said
identifying information indicating the appropriate one of said values.

19. A method according to claim 18 wherein said quadratic equation is solved by
summing terms of the form c^{2^g} from g = 0 to g = m-1 where c = x_0 + a + b / x_0^2 and x_0 is
said one co-ordinate.

20. A method according to claim 19 wherein terms of the form c^{2^g} are obtained by g-fold
cyclic shifts of the normal basis representation of c.

21. A method according to claim 20 wherein said algebraic curve is defined over the
field Z_p and said identifying information indicates the Legendre symbol of the
appropriate value.

22. A method according to claim 21 wherein said curve is defined over the field Z_p and
the elements thereof subdivided into a pair of subsets, one of which contains one
possible value and the other of which contains the other possible value, said
indicating information identifying the subset containing the appropriate value.



23. A method for determining a multiple k of a point P having co-ordinates (x, y) on an
elliptic curve, said method comprising the steps of:

(a) computing the x-co-ordinate of the sum of two points P_2 and P_1 whose difference is known;

(b) computing the x-co-ordinate x_3 of a sum of points P_1 and P_2 from the
x-co-ordinates of P, P_1 and P_2, wherein the difference between said points P_1 and P_2
is P;

(c) applying said computation over k iterations to obtain the x-co-ordinates of a
pair of points kP and (k+1)P;

(d) using said x-co-ordinates of kP and (k+1)P to obtain a y-co-ordinate of kP.

24. A method as defined in claim 23, said elliptic curve being defined over a field F_{2^m}.

25. A method as defined in claim 23, said elliptic curve being defined over a field F_p.

26. A method as defined in claim 24, said y-co-ordinate being obtained by using affine
co-ordinates of kP and (k+1)P.

27. A method as defined in claim 24, said y-co-ordinate being obtained by computing

where x_3 is the x-co-ordinate of (k+1)P, and x_2 is the x-co-ordinate of kP, and x_2 = X_2 / Z_2
and x_3 = X_3 / Z_3.

28. A method as defined in claim 25, said y-co-ordinate being obtained by computing

y_2 = (1 / (2 y_1 Z_3)) { Z_3 [(x_1 + x_2)(a + x_1 x_2) + 2b] - X_3 (x_2 - x_1)^2 }

where x_3 is the x-co-ordinate of (k+1)P, and x_2 is the x-co-ordinate of kP, and x_2 = X_2 / Z_2
and x_3 = X_3 / Z_3.